Interesting essay. If you're interested I've posted a rebuttal for the
list administrators' consideration:
http://starboard.flowtheory.net/blog/?q=node/170
-jag
On Feb 25, 2006, at 3:32 AM, Nicolas Lehuen wrote:
> That is called "Reply-To Munging" and is considered harmful by some.
>>http://www.unicom.com/pw/reply-to-harmful.html>> Regards,
> Nicolas
>> 2006/2/25, Joshua Ginsberg <listspam at flowtheory.net>:
>> Wow -- I'm the administrivia whore today... sorry about that...
>>>> Why don't we configure the list to have the reply-to be back to the
>> list? :-) I can't tell you the number of times I hit reply instead of
>> remembering to hit "Reply All", a button which I generally consider to
>> be the brainchild of Satan.
>>>> -jag
>>>> On Feb 24, 2006, at 7:59 PM, Graham Dumpleton wrote:
>>>>> Please keep followups on mailing list. :-(
>>>>>> On 25/02/2006, at 11:28 AM, Robert Thomas Davis wrote:
>>>>>>> Graham
>>>>>>>> ...finally got everything up and running with the new
>>>> version :) Now I get a NameError exception on the
>>>> call to validate_user (which, at least, is a step in
>>>> the right direction)!!
>>>>>>>> Do you have any suggestions as to what would be a
>>>> better way to structure this so I don't encounter that
>>>> issue? Basically what I am trying to accomplish is
>>>> the following...
>>>>>>>> There will be more defs in index.py (like the devices
>>>> def) whose contents I want to protect. I want to
>>>> ensure that the user will have to enter their
>>>> user/passwd anytime attempts are made to access these
>>>> functions (unless the current session is still valid
>>>> of course). After reading that article you references
>>>> it seems I would need to move the validate_user
>>>> function to an outside module and then import it
>>>> inside the def __auth__()??
>>>>>> Personally I wouldn't use the mod_python.publisher authentication,
>>> but that is a topic for another time.
>>>>>> If you must use the mod_python.publisher support for basic
>>> authentication,
>>> then use a wrapper class to do it. If you have Python 2.4, you could
>>> even
>>> use decorators for the purpose to make it a really clean solution.
>>>>>> Basic code is:
>>>>>> from mod_python import apache
>>>>>> class Restricted:
>>> def __init__(self,method,realm="Restricted Access"):
>>> self.__call__ = method
>>> self.__auth_realm__ = realm
>>> def __auth__(self,req,user,password):
>>> apache.log_error("__auth__")
>>> return user == "mickey" and password == "mouse"
>>>>>> def index(req):
>>> return "index"
>>>>>> def page1(req):
>>> return "page1"
>>>>>> def page2(req):
>>> return "page2"
>>>>>> page2 = Restricted(page2)
>>>>>> The "Restricted" class acts as a wrapper around the published
>>> function.
>>> The auth functions are actually in the wrapper class. Because the
>>> wrapper
>>> class is at global scope, you don't have the problem with nested
>>> functions
>>> that you are seeing.
>>>>>> I don't have Python 2.4, so can't give you a solution which uses
>>> decorators,
>>> but I am sure that someone else on the mailing list who has and
>>> understands
>>> decorators could provide so code pretty quick. The ideas with
>>> decorators
>>> is you should be able to setup the code so all you need to do is
>>> something
>>> like:
>>>>>> def index(req):
>>> return "index"
>>>>>> def page1(req):
>>> return "page1"
>>>>>> @restricted
>>> def page2(req):
>>> return "page2"
>>>>>> The decorator would do the magic of wrapping the function for you
>>> automatically.
>>> To me this would be a really clean solution, although possibly
>>> restricted to use
>>> of functions.
>>>>>> Anyone want to step up and provide a decorator solution for this?
>>>>>>> Also, do any RPMs exist for these more recent versions
>>>> of mod_python OR is there a documented procedure for
>>>> building a mod_python RPM from the recent releases?
>>>>>> I imagine someone will put together an RPM for 3.2.7/3.2.8
>>> at some stage. This is usually done by someone attached to
>>> the maintainers of the Linux distribution and not the mod_python
>>> folks though.
>>>>>> Graham
>>>>>>> --- Graham Dumpleton <grahamd at dscpl.com.au> wrote:
>>>>>>>>> Robert Thomas Davis wrote ..
>>>>>> Graham
>>>>>>>>>>>> Sorry...your replies were be sent to the "bulk"
>>>>>> folder...glad I checked it before just deleting
>>>>> all!
>>>>>>>>>>>> I am using mod_python 3.1.3 with apache 2.0.53 on
>>>>>> Fedora Core 3.
>>>>>>>>>> Any chance you can upgrade to mod_python 3.2.7? I
>>>>> really can't find
>>>>> any problem with the basic structure of what you are
>>>>> doing, but there
>>>>> have been fixes to publisher in 3.2.7 that may mean
>>>>> I am not seeing
>>>>> the problem.
>>>>>>>>>>> The url I use to access the "devices" page (the
>>>>> one I
>>>>>> would like to protect) is
>>>>>http://localhost/devices.>>>>>>>>>>>> I do agree about having the info on the mailing
>>>>> list
>>>>>> so others could learn from it; maybe we can post
>>>>> the
>>>>>> results.
>>>>>>>>>> The ongoing discussion is also useful, as the actual
>>>>> debugging process
>>>>> itself can be just as useful as the final result.
>>>>> Thus, use reply-all.
>>>>>>>>>> Graham
>>>>>>>>>>> Thanks,
>>>>>>>>>>>> --- Graham Dumpleton <grahamd at dscpl.com.au> wrote:
>>>>>>>>>>>>> BTW, I can't seem to find that you have ever
>>>>> said
>>>>>>> exactly which version
>>>>>>> of mod_python you are using. Are you using the
>>>>>>> latest version?
>>>>>>>>>>>>>> Graham
>>>>>>>>>>>>>> Graham Dumpleton wrote ..
>>>>>>>> Still generally prefer it to be on the mailing
>>>>>>> list as other people can
>>>>>>>> learn from it and it is in the mailing list
>>>>>>> archive as well, so people
>>>>>>>> down the track may find it as well and it may
>>>>>>> solve a problem for
>>>>>>>> them also.
>>>>>>>>>>>>>>>> One more question. What URLs are you using to
>>>>>>> access the resources
>>>>>>>> so I can relate that properly to the Apache
>>>>>>> configuration and the
>>>>>>>> published functions in the file?
>>>>>>>>>>>>>>>> Graham
>>>>>>>>>>>>>>>> Robert Thomas Davis wrote ..
>>>>>>>>> Hell graham
>>>>>>>>>>>>>>>>>> I really appreciate your help with
>>>>> this...and
>>>>>>> since
>>>>>>>>> you have been the only one responding I
>>>>> thought
>>>>>>> I
>>>>>>>>> might as well just mail you the files in
>>>>>>> question
>>>>>>>>> (index.py and httpd.conf, attached as a
>>>>> .tgz)
>>>>>>>>>>>>>>>>>> The file index.py would normally live in the
>>>>>>>>> directory:
>>>>>>>>> /usr/local/lap/http/
>>>>>>>>>>>>>>>>>> Based on your last reply I am wondering if
>>>>> it is
>>>>>>> my
>>>>>>>>> httpd.conf file that is setup incorrectly (i
>>>>> do
>>>>>>> not
>>>>>>>>> get the 500 error at all). When the
>>>>> enclosed
>>>>>>> code
>>>>>>>>> gets executed it appears as though it skips
>>>>>>> right over
>>>>>>>>> the nested __auth__ fuction. However, if
>>>>> that
>>>>>>>>> function is moved to the module scope
>>>>> (index.py)
>>>>>>> it
>>>>>>>>> always gets called and subsequently calls
>>>>> the
>>>>>>>>> validate_users function.
>>>>>>>>>>>>>>>>>> Again...your help is much appreciated.
>>>>>>>>>>>>>>>>>> Rob
>>>>>>>>>>>>> _______________________________________________
>>>>>>>> Mod_python mailing list
>>>>>>>>Mod_python at modpython.org>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>http://mailman.modpython.org/mailman/listinfo/mod_python>>>>>>>>>>>>>>>>>> _______________________________________________
>>> Mod_python mailing list
>>>Mod_python at modpython.org>>>http://mailman.modpython.org/mailman/listinfo/mod_python>>>> _______________________________________________
>> Mod_python mailing list
>>Mod_python at modpython.org>>http://mailman.modpython.org/mailman/listinfo/mod_python>>